Patent Application
20250085907
The invention relates to a method and a system for secure printing and specifically to authentication of users for secure printing.
When someone prints a file, the document usually reaches the output tray of a printer within seconds. Therefore, when the user who submitted the print job arrives at the printer, the output waits there “unattended.” If another user is at the printer at that moment, that user can view the printed document or even take it with them.
Secure (& Pickup) Printing (also known as Pull Printing or Follow Me Printing) refers to an output process by which printouts are not output directly with the printing process on the selected printer. Instead, they are held until the user identifies himself at the printer and authorizes the output. Pull printing offers many business benefits. It protects sensitive information during the printing process, reduces costs by eliminating unclaimed documents, and increases user mobility and productivity by allowing them to print anytime, anywhere.
In a more modern approach, managed print providers are moving to the “cloud” and e.g. using Microsoft Universal Print. This controls printers via the cloud and assigns a print job to the correct printer using Universal Print. Then the print job is sent to the printer, sometimes even without the connection, but the local network after a direct connection is established. The advantage of this system is that no local print server needs to be installed, and managed print solutions can be installed at any time via the cloud, for example, via the Azure Web Store, or via another cloud service such as AWS or Google.
Wallet apps are apps that are used to store digital cards such as admission tickets, vouchers, customer cards, or boarding passes on the one hand, and on the other hand store means of payment such as credit cards that can be used to pay with the smartphone at the checkout in retail stores. The two best-known wallet apps are Apple Wallet and Google Pay.
Apple Wallet is Apple's native wallet solution that comes pre-installed on all iOS devices since iOS 6 (released in 2012). One can store in the app all the cards that would otherwise be found in your wallet, such as coupons, loyalty cards, tickets or boarding passes, as well as credit cards that can be used with Apple Pay. But there are a few more features that a wallet certainly can't do, such as changing the design of cards if they're already stored on your smartphone, or sending push notifications.
Google Pay is Google's wallet solution for cards and mobile payments. The features in Google Pay designed to store and manage digital cards are grouped under the name “Google Pay for passes” and received a major update in 2018, adding support for tickets and boarding passes, for example. Google Pay has been around for a few years, and the app was previously called Android Pay. Google Pay, unlike Apple Wallet, is not pre-installed on most Android devices, but it is linked directly to users' Google accounts, which simplifies the user experience—for example, cards stored on a desktop computer are automatically synchronized to users' smartphones.
Passes are a digital representation of information that might otherwise be printed on small pieces of paper or plastic. They let users take an action in the physical world. Passes can contain images and a barcode, and may be updated using push notifications. A pass library contains the user's passes, and users view and manage their passes using the Wallet app.
Classically, RFID readers for print release today are integrated into a printer or plugged into a printer via USB.
If the printer is controlled via a print server, so that only the print job belonging to the user who is currently authenticating himself at the RFID reader, gets printed out, one of the biggest problems is being able to establish a communication link between the RFID reader and the print server. According to the state of the art, this must always be supported by a corresponding firmware or firmware extension (app) of the printer, but this is not always the case. Today, it is not possible to connect any printer with an RFID reader in such a way that the reader can connect to a server via the printer and exchange data. Especially smaller and cheaper printers, as they are typically used in small offices, do not provide support for an RFID reader by a printer.
The problem to be solved by the invention is to provide a method with which the logical assignment of a reader is simplified and largely automated. Almost any network-compatible printer should be usable for this purpose. An adaptation of the firmware in the printer shall no longer be necessary. The setup of the connection between a reader and a printer should be so simple that it can be carried out without special training and instruction.
Another problem to be solved is to provide secure printing with printers which are dynamically assigned to a specific user.
Solutions of the problems are described in the independent claims. The dependent claims relate to further improvements of the invention.
A method of secure printing (here also follow-me print) allows selection of a printer by a user at the time of printing. A print job with a user identifier is sent to a print server. The user identifier identifies the user who needs and/or is authorized to receive the prints from the print job. The user identifies with a RFID reader attached and/or assigned to a printer, by e.g. A RFID tag and/or a mobile device. The RFID reader reads a user print credential and transmits this together with its own unique reader identifier to the print server. The print server selects based on the user print credential at least one print job with a matching user identifier e.g., from a table and/or database. Finally, the print server sends the at least one selected print job to a network printer assigned to the RFID reader.
This solution is completely independent from any software and/or firmware of a printer. It does not need a printer supporting a RFID reader for authentication. An assignment between any printer and any RFID reader may be stored in a table and/or database which may be or at least accessible by the print server. Such assignments may be directly red, manually entered or configured by a method as described herein.
A method according to an embodiment ensures, that a reader, e.g., a RFID reader is uniquely assigned to a printer during a one-time setup. Herein reference is made to an RFID reader. Instead, any suitable reader may be used. Such a reader may also be a reader having a network and/or cloud connection, e.g., a LPWAN like NB-IoT, LoRaWAN, Wi-Fi, WiFi HaLow or a similar technology.
The system for uniquely assigning an RFID reader to a printer may include the components described below:
A user interface, which may be run as standalone software on a computer.
A Pass Deployment Center (PDC) which may generate credentials and make them available for download.
A print server which can be operated on-premises or in a cloud.
At least one mobile device, e.g. a cell phone that is configured to read and interpret a machine-readable code, which may be a QR code or any other code, e.g. linear barcode, or clear text as used in Machine Readable Zones (MRZ) in travel documents, via a camera and which further may have an RFID/NFC interface.
At least one network printer, which may be logically linked to an RFID reader, as well as a corresponding number of RFID readers.
The RFID reader may be equipped with a network interface that may be configured to wirelessly communicate with the print server.
The system according to the invention is configured for logically linking an RFID reader with a network printer. After successful linking, a print output may be directed to the linked network printer by presenting a valid RFID badge at the reader.
To set up the system, proceed as described below. It is assumed that the printers concerned are accessible in the network and RFID readers are installed in the physical vicinity of the printer. The RFID readers are connected to the Internet via WLAN, NB-IoT, LoRaWAN network, THREAD Mesh network, WiFi HaLow or another medium. The steps described are initiated by a user or system administrator, who is referred to below as the key user.
Normally, the payload for NFC messages is limited, e.g., to 64 Bytes. This may be too little to store additional information, such as a (direct) URL to a print server. For this reason, a possible extension of the method is to provide an additional configuration server, which may be (initially) addressed by all readers under a known, pre-programmed URL. After transmission of the credential, which may be part of a unique token the configuration server may determine the correct print server. The token, or the configuration, may then be forwarded to the intended print server by the configuration server.
In an embodiment, an index (a few bits or bytes) may be sent to a list of URLs of known print servers in the (64-byte) payload, which may be stored in the reader as a table.
In an embodiment, an additional configuration server may be used. This server may forward information received from a RFID reader to a dedicated print server. The configuration server takes over the task of a router, which generates the complete unique link (URL) of the print server from a print server ID stored in the credential (e.g. from a database). This may be used if the storage capacity of the credential is not sufficient to transmit all information for the configuration in full length.
This forwarding process may also be performed for future print releases. However, it is equally possible for the configuration server to provide the valid URL to the reader for further use.
In an embodiment, the procedure above differs in step h) including:
In a further embodiment, step h) may be replaced by:
In another embodiment, the software with a user interface on a computer system is omitted completely. The printer is set up in such a way that it automatically logs on to a print server either during initial startup, or on request in a configuration mode. The sequence of steps a-d is modified here.
In an embodiment, the configuration server may be part of the print server.
Another embodiment relates to a method of printing by a network printer including the steps of:
The user identifier may be a UUID, a username, a login name and/or any unique identifier of a user and/or user group. The user identifier may at least be unique within the network, which has access to the print server. Further information, like an ID or address of the personal computer, laptop or mobile device may be included within the user identifier.
The unique reader identifier may be a UUID or any network address, e.g. IP address, MAC address and others. It may be any identifier which is unique for a RFID reader or a group of RFID readers preferably in the network in which the RFID reader is used and/or which has access to the printers.
Matching of the user print credential with at least a matching user identifier may be based on a table and/or database providing user print credentials and user identifier. Matching may also be made if the user print credentials are the same as the user identifiers.
The assignment server which may be part of or included into the print server may hold assignment information, e.g. as a table or as a database. Such assignment information relates to the assignments of RFID readers to printers, e.g. which RFID reader is assigned to which printer. The assignment information may be directly available and/or stored at the print server. The assignment information may be collected manually and/or by the method disclosed herein. The assignment server may be the configuration server further mentioned herein.
For network printer selection, a previously established assignment between the unique reader identifier and the network printer is used. The assignment information may be directly available and/or stored at the print server. The assignment information may be collected manually and/or by the method disclosed herein. The assignment information may be held in at least one table and/or a database. The printer may be identified by a network address, e.g. IP address, MAC address or a DevEUI in a LORA network.
In an embodiment, all steps following step a) are repeated for every print job. An assignment of a printer to a RFID reader may only be made once. Such an assignment of an RFID reader to a network printer may be made according to the method as disclosed above. Any other suitable method may also be used. For example, a barcode or QR code may be printed on the RFID reader. This may be scanned together with a printed code from the printer or a printer identifier which may also be from a barcode on the printer. Botch codes may be forwarded to an authentication server or a print server.
In a further embodiment, step d) includes the following steps:
The embodiments described above may be operated in parallel in an installation if required. For example, an installation may operate both printers that can log on directly to the print server and printers for which configuration software must be used.
The basic concept of the invention relates to devices configured to and a method of assignment of an RFID reader to a network printer includes the steps of: transmitting a unique printer identifier to a pass deployment center and to a print server, generating a machine-readable code, e.g. a QR code including a unique link to a confirmation credential, further including the unique printer identifier, and printing the machine readable QR code by the printer or displaying it on a display of the printer. Further steps include reading by a mobile device the printed and/or displayed QR code and generating a wallet pass by loading the confirmation credential via the link. Then the credential is transferred to a RFID reader, which further transmits the credential together with its own unique reader identifier to the print server, which establishes an assignment between the printer and the reader based on the unique printer identifier and the unique reader identifier.
In the following the invention will be described by way of example, without limitation of the general inventive concept, on examples of embodiment with reference to the drawings.
Generally, the drawings are not to scale. Like elements and components are referred to by like labels and numerals. For the simplicity of illustrations, not all elements and components depicted and labeled in one drawing are necessarily labels in another drawing even if these elements and components appear in such other drawing.
While various modifications and alternative forms, of implementation of the idea of the invention are within the scope of the invention, specific embodiments thereof are shown by way of example in the drawings and are described below in detail. It should be understood, however, that the drawings and related detailed description are not intended to limit the implementation of the idea of the invention to the particular form disclosed in this application, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the present invention as defined by the appended claims.
The system 100 for uniquely assigning an RFID reader to a printer may include the components described below:
In an embodiment, an index (a few bits or bytes) may be sent to a list of URLs of known print servers in the (64-byte) payload, which may be stored in the reader as a table.
The system according to an embodiment may be configured for logically linking an RFID reader 160 with a network printer 150. After successful linking, a print output may be directed to the linked network printer by presenting a valid RFID badge at the reader.
The sequence of assigning a reader to a printer may include the following steps, which may be initiated by a user or system administrator, who is referred to below as the key user.
In an embodiment, the configuration server 180 may be part of the print server 130.
In an embodiment, the printers concerned are accessible in the network and RFID readers may be installed in the physical vicinity of the printer. The RFID readers may be connected to the Internet via WLAN, NB-IoT, LoRaWAN or another medium.
Here, in addition to the previous embodiment, an additional configuration server 180 is provided.
Normally, the payload for NFC messages is limited. Apple only allows 64 bytes at the time of this disclosure. This may be too little to store additional information, such as a (direct) URL to a print server. For this reason, a possible extension of the method is to provide an additional configuration server 180, which may be (initially) addressed by all readers under a known, pre-programmed URL. After transmission 281 of a unique token, the configuration server may determine the correct print server. The token, or the configuration, may then be forwarded to the intended print server by the configuration server.
In particular, the configuration server 180 server may forward 282 information received from a RFID reader 160 to a dedicated print server 130. The configuration server 180 takes over the task of a router, which generates the complete unique link 106 (URL) of the print server from a print server ID stored in the credential 105 (e.g., from a database). This may be used if the storage capacity of the credential is not sufficient to transmit all information for the configuration in full length.
The procedure shown in
In this embodiment, the software with a user interface on a computer system 110 is omitted completely. The printer 150 is set up in such a way that it automatically logs on to a print server 130 either during initial startup, or on request in a configuration mode. The sequence of steps a-d is modified here.
Here, in addition to the previous embodiment, a LoRa network server (LNS) 175 and at least one gateway 177, 178 in vicinity of at least one of the readers 160, is provided.
While LPWAN (Low Power Wide Area Network) technologies normally provide a continuous IP-connection between a client and a base station, LoRaWAN does not use a controlled connection. The RFID-reader 160 in this embodiment may be configurated as a LoRaWAN node. After having read a RFID tag, the reader may send an encrypted message that is received by at least one LoRa gateway 177, 178 remote of the reader. The received message is forwarded to the related LNS 175, where it will be decrypted. The LoRa Message may contain a unique reader identifier 104. The unique reader identifier 104 may also be or include at least one of a 64-bit unique DevEUI, an end-device identifier which uniquely identifies the reader, and a 64-bit AppEUI, an application identifier which uniquely identifies the application, and a variable number of application-data. The application data may include data, read via RFID from a RFID token.
The procedure shown in
Instead of a wireless network, a wired network may be used.
It will be appreciated to those skilled in the art having the benefit of this disclosure that implementations this invention provide a method for secure printing. Further modifications and alternative embodiments of various aspects of the invention will be apparent to those skilled in the art in view of this description. Accordingly, this description is to be construed as illustrative only and is provided for the purpose of teaching those skilled in the art the general manner of carrying out the invention. It is to be understood that the forms of the invention shown and described herein are to be taken as the presently preferred embodiments. Elements and materials may be substituted for those illustrated and described herein, parts and processes may be reversed, and certain features of the invention may be utilized independently, all as would be apparent to one skilled in the art after having the benefit of this description of the invention. Changes may be made in the elements described herein without departing from the spirit and scope of the invention as described in the following claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 22162963.7 | Mar 2022 | EP | regional |
| Number | Date | Country | |
|---|---|---|---|
| Parent | PCT/EP2023/054023 | Feb 2023 | WO |
| Child | 18884887 | US |
